Technical Forum
Ask questions. Discover Answers.
cancel
Showing results for 
Search instead for 
Did you mean: 

Does F5 encrypts traffic internally from a VS to another VS ?

Jad_Tabbara__J1
Cirrostratus
Cirrostratus

Dear community, 

 

Context

VS_Parent with clientssl + serverssl profiles and an iRule (that is responsible for routing the traffic to the child VSs based on the FQDN for example) 

VS_Child1  has clientssl + serverssl profiles 

VS_Child2 has clientssl + serverssl profiles  

 

All VSs are on the same BIGIP. 

Client < Encrypted Channel 1 > VS_Parent < Encrypted Channel 2 > VS_Child1 or VS_Child2 < Encrypted Channel 3 > Pool_Member 

 

Question

Based on the theory, the BIG-IP should have 3 encrypted channels

To confirm that, I've done a "tcpdump" on the child VS to see if the traffic is encrypted. I can't see any SSL packet using Wireshark. 

Does F5 encrypts traffic routed from a VS_Parent to a VS_Child ? Or it doesn't encrypt it, in order to optimize resource utilization ? 

 

Thanks for your help 

 

Jad

 

 

1 ACCEPTED SOLUTION

youssef1
Cumulonimbus
Cumulonimbus

Hi Jad,

 

I had already asked myself the question.

 

So Yes, F5 encrypts traffic routed from a VS_Parent to a VS_Child.

 

I validate my supposition by removing SSL Client in VS_Child  and noticed that access to my service was not functional.

 

Additional you can use my Debug irule (hosted in devcentral) that allow you to see that Cipher/protocol used in both VS (Child an parent).

 

I advise you to process a ssldum using this kb:

 

https://support.f5.com/csp/article/K10209

 

So in child vs, initiate a basic capture:

 

tcpdump -vvv -s 0 -nni external -w /var/tmp/www-ssl-client.cap host 10.1.1.100 and port 443

 

then check ssl exchange:

 

ssldump -nr /var/tmp/www-ssl-client.cap

 

keep me in touch.

 

regards,

View solution in original post

3 REPLIES 3

youssef1
Cumulonimbus
Cumulonimbus

Hi Jad,

 

I had already asked myself the question.

 

So Yes, F5 encrypts traffic routed from a VS_Parent to a VS_Child.

 

I validate my supposition by removing SSL Client in VS_Child  and noticed that access to my service was not functional.

 

Additional you can use my Debug irule (hosted in devcentral) that allow you to see that Cipher/protocol used in both VS (Child an parent).

 

I advise you to process a ssldum using this kb:

 

https://support.f5.com/csp/article/K10209

 

So in child vs, initiate a basic capture:

 

tcpdump -vvv -s 0 -nni external -w /var/tmp/www-ssl-client.cap host 10.1.1.100 and port 443

 

then check ssl exchange:

 

ssldump -nr /var/tmp/www-ssl-client.cap

 

keep me in touch.

 

regards,

Hello Youssef,

 

Thanks for your answer. Using the "tcpdump + ssldump" I can see the SSL Handshake on the VS_CHILD...

 

Before posting my question, I've done same capture using tcpdump, but I used Wireshark to see the SSL Handshake.

 

My wireshark was not parsing the SSL traffic correctly, indeed using my colleague Wireshark we can see the SSL Handshake. I will re-install my wireshark to correct this.

 

So the issue come from my wireshark 😄

 

Thank you you helped me to answer 2 questions in one 😛

 

Regards

youssef1
Cumulonimbus
Cumulonimbus

Hello Jad,

 

Glad to have been able to bring you my help my dear.

 

Regards